Sunday, June 20, 2010

Wow. Can’t believe how long it has been since I’ve been able to find enough free time to do a forensic focused link-fest post.

Rest assured, I’ve been hard at work in the trenches, ever vigilant for tips and tricks to help both forensic pros and sysadmins find common ground in responding to Windows system incidents.

I hope you won’t leave disappointed…

QCC Information Security “CaseNotes” Updated

I’ve been using QCC’s CaseNotes for some time and find it really does an excellent job fitting my needs. The Digital Standard: Case Notes had a recent post that highlighted many of the best features of this freeware tool and that got me thinking. Has it been updated lately?

M-unition » Blog Archive » Web Historian: Reloaded. Yep. MANDIANT has gone wacky and updated their already wonderful Web-Historian application and taken it to a whole new level! So far I’ve been using it in full “installed” mode. But I suspect that with some tweaking of the custom/advanced path settings it might be supported in a “portable” mode. New version supports FF2/3+, Chrome, and IE 5-8. Man! The GUI has been majorly re-worked and can scan both local and “off-line” sources. Thumbnail previews are supported on compatible browsers. It also can export a “sanitized” version of history usage for sharing. This is a really advanced tool now and worth checking out. Did I mention it was free? Tip: Read the PDF that comes with it. Saves a lot of time on the learning curve. From the blog post….

WinFE is not my primary forensic LiveCD. I’ve got a few others that come first in point-rotation. However, it still has a very warm and dear place in my heart.

So I was excited to see the hard work Brett Shavers has done in keeping this tool not only active, but expanding the knowledgebase and ability of others to use and build this WinPE kissing-cousin. Provided below is the main page as well as great WinFE resources and posts to peruse.

Posts (Atom) – Again because I’m having a hard time finding the site feed links. Here you go!

Also, though not part of Brett’s project, the following Praetorian Prefect post is a great and fresh primer on WinPE and forensic work. I particularly found useful the tips on DiskPart with read-only mounting of the off-line mounted volumes/drives.

While Kon-Boot might not be a tool for most forensic folks, sysadmins could have great use for it. I’ve mentioned it a bit here on GSD and have been quite fascinated with the tricks it can perform as a bootkit.

Kon Boot – Kryptos Logic – This latest version is fully commercial and (reasonably so) you now need to pay-to-play, though a 1-user personal license is just $15.99 and a 1 year 1 user commercial license is just $60 more.

YouTube - From RegRipper to WindowsRipper – see the process in action in this sub-5-minute video including integration with a NirSoft tool for IE history reporting for each system user. I suspect this is the tip o’ the iceberg!

TinyApps.Org Blog : Boot any and all ISO images from USB drive. Seriously! Now pause for just a minute and imagine having a tool (with write-protect switch) that you could jog-select any ISO boot image file you have on board, and then boot the system with. CAINE, DEFT, HELIX, RAPTOR, WinFE, WinPE, etc and so forth. All in a single enclosure. Yummy indeed! See below….

And because I can’t remember if I found it on WindowsIR blog or here at SANS…

nabiy.sdf1.org offers a great tool (USB History Dump) and article about extracting USB Trace Evidence from the Windows registry. See also the NirSoft tool USBDeview and the Woanware tool USBDeviceForensics.

NTPWEdit – Reset Windows password – 4sysops blog – Tool that works very well in WinPE/FE builds. Not that any of you forensic guys would be making such changes to a suspect system. However sysadmins may need to if malware or sheer local-user maliciousness boggled out the Admin password.

Forensic Pagefile: SAM Cracking using Ophcrack and Encase – I’ve not used Encase to do so, but I have followed a modified method to extract SAM files from an off-lined system, brought them over into a VM running the installed version of Ophcrack, then cracked dem profile passwords to accomplish my l33t sysadmin needs (…self-mocking there guys…).

Tableau Revision History – TIM. In case you didn’t get the email, Tableau’s Imager (TIM) software product has had a few updates that are pretty important to get and upgrade to; involving both critical bug fix as well as minor ones.

Here is quite the collection of Windows-related links. Although it has been quite a while since the last one, I promise I’ve been diligently collecting the most promising links I could find, and slowly roasting them over the past weeks.

The fat has dripped out and burned on the bottom of the smoker pit leaving only these tender, flavor-laden morsels behind.

Sysinternals Update: Autoruns v10.01 – Whew! version 10.00 brought in a major update to this must-have utility; the ability to scan offline Windows systems. I’m not sure about the default setting now to auto-hide Windows (MS) entries…I prefer to see the buggers out of the box.

Network Monitor : Network Monitor 3.4 Beta Released on Connect! and BETA: Microsoft Network Monitor 3.4 - Windows Live – Network Monitor 3.4 brings with it some major GUI interface improvements and column customization. However, even more exciting are claims that parsing performance has been dramatically improved. Couple that with a new high-performance filter to avoid dropping frames, as well as more granular time-stamps. Yes, Wireshark and a few other network capture utilities seem to be king, but this is definitely a packet-capture tool on the move. Because it is free there aren’t many valid excuses for Windows sysadmins to not co-load this tool alongside the others.

Windows 7 SP1 public beta download to be available in July – Download Squad – Probably not as exciting a new OS SP release as was Vista SP1 & 2. Word is that this SP really just rolls up the updates that have been flowing to Windows 7. Windows 7 seems pretty great out of the gate so there hasn’t been nearly as much buzz ‘bout this one.

Newsletter #89: Changing Win 7 Default Profile and Sysprep Tricks – Mark Minasi’s Windows Networking Tech Page – Mark has a really good must-read article regarding Windows 7’s Default User Profile as well as some accompanying Sysprep tricks. We are nowhere near to an enterprise deployment of Windows 7 at work so I’m probably going to be Sysprepping XP Pro for a few more years to come.

WinBubbles via UnlockForUs Say what you will about the web-page, but this has to be among the most complete Windows tweaking tools there is. It’s been a while since I did a post on Windows tweaking tools, but this will be among them when it comes. If you can wade through all the links to finally find where to download the utility (sigh) your search will be rewarded. It comes in both a localized install version as well as a portable one. FREE: WinBubble – Tweak Windows 7 – 4sysops gives a good review as well.

mRemote -- (free version) – is a similar multi-remote connection management tool I found mentioned in a few comments about the above application. I had never heard of it before but it seems to support a very wide range of remote protocols, and allows uniform management of them all, including RDP, VNC, SSH, Telnet, HTTP/S, Rlogin and a few others. What was nice was that once you download and install, it will then assist you in locating/sourcing any additional downloads to support other protocols it can handle that it doesn’t find pre-loaded on your system. Seems to have a strong fanbase. Overview

chriscontrol - Project Hosting on Google Code -- (freeware) – ChrisControl was another interesting remote control tool I rediscovered in its new home on GoogleCode pages. The Beta 2 version was released in January 2010 so the author is still hard at work refining it. ChrisControl is curious in that as long as you have the target system’s IP address/hostname and a valid account id/pw, then you have a good chance of connecting to it. First it sees whether RDP or VNC is installed/running. If RDP is available, it uses that to connect. If VNC is present it will use that. If neither, then it prompts the user to remote install VNC server on the target system! You have options to uninstall the VNC server when done.

I’d recently posted this link to the Remotely Enable Remote Desktop :: IntelliAdmin - (free tool) – but it seems appropriate to re-include it again. This utility automates a trick to get RDP started when not enabled on the box. Get the micro-file from this link: Enable Remote Desktop – Remotely (exe download-link from IntelliAdmin). I tend to avoid direct links but the download link from their blog-post page actually points to their full-featured application, and not the standalone tool. I’ve had the opportunity over the past few weeks to use this tool a few times and every time it saved my bacon.

TeamViewer 5 is now out (free for personal (non-commercial) usage) and has some new enhancements. Check out the TeamViewer Download page. There is also a TeamViewer Portable version. I found it really cool that if you download the setup installer and run it, it gives you two options; “Install” to fully install on the system or “Run” to execute TeamViewer on the system “portably/temporarily” (and without the need for the user profile to have “admin” privileges on the system). That’s a cool feature that calls to mind the way ShowMyPC offers the exe download of its own product which when executed, unpacks and runs…rather than installs. ShowMyPC, btw, was updated recently to v3050. Speaking of TeamViewer, I had been able to use TeamViewer on WinPE builds with great success. However, the newest versions didn’t seem to execute well. I did manage to create an ugly work-around that again lets me keep use of TeamViewer as an option to remote-connect to a WinPE 3.0 booted system. Yes, another blog post awaits on this one…

2X Client Portable 8.1.870 Released -- PortableApps.com. This multi-connection management tool has also been recently updated. It also is similar to the Microsoft RDC-Manager and does support RDP connections. I’ve dipped my feet into using it a bit as well and was pleasantly surprised with the performance. I really like the “tabbed” remote system display arrangement. While the “client” tool is free, you can also use it to connect to systems running the 2x Application Server. Check out the 2X ApplicationServer download page for more information on that side of operations.

Free Microsoft Money!

No. Seriously! I mean it! Get Microsoft Money free. This “Sunset” version doesn’t require any on-line activation. It is really slick and for a former Quicken user, is very mature and polished. Lavie and I love it. What don’t you get with this wonderful and sophisticated yet approachable financial management tool? Well, as well as I can tell, almost nothing is missing except integration with Microsoft’s own on-line “Live” capabilities, which for the poor folk like Lavie and me, isn’t much we would be using currently anyway. It is simply an amazing opportunity.

Even if you don’t really think you would use it, if you don’t already have a personal finance management (banking/credit/loans/etc.) software, download this and play around. Heck, at least download the installer and keep it handy. Read the download details page linked below carefully for full details.

All versions of Money Plus sold at retail and online, required users to perform an “Online Activation” step in order to keep using the product, even if online services had already expired. Online Activation was also required for every machine onto which Money Plus was installed. Now that Money Plus is no longer available for purchase, the online activation step will eventually become unnecessary and unsupported. This Money Plus Sunset package is targeted at removing the activation dependency. There are two versions of Money Plus Sunset. The Money Plus Sunset Deluxe version is meant to replace Premium, Deluxe, and Essentials versions of Money Plus. The Money Plus Sunset Home and Business version is meant to replace Money Plus Home and Business. Please note that Money Plus Sunset versions come preconfigured with:

· No online services (no online quotes, no bill payment, no statement downloads initiated by Money, no data sync with MSN Money online services, etc…)

· No support services (support services are limited to online self-help only, see Money Plus Sunset EULA and Microsoft’s Support Lifecycle pages for more details)

· No need to activate the product.

Don’t let all that scare you off. You can still manually import transactions from banks (if they support MS Money or compatible formats) down into this version of MS Money to save time from hand-entering them.

Seriously…Microsoft is giving away Money for free. Who would have ever thunk?

Google Sites

So a while back I was working on another side project and found some tips on using Google Sites to host files and other materials for downloading by your blog’s fans. Sounded like a clever idea although I do have a handy and free Box.net account already with a few publicly made shared folders like that one that contains reg.keys for enabling/disabling InPrivate Mode for IE 8.

Eventually I came back to Google Sites and figured it had enough features and such to be worthwhile to set up a basic GSD site page. Nothing there worth seeing for now, but in time I might be able to use it to make a more technically organized website of tips and such.

There are lots of pre-built templates to get started with. I chose a “project tracking” format for some reason. We’ll see what happens.

Of course, all the USB HDD talk has got me crazy thinking about other related items.

Into The Boxes: Issue 0x0 had a great tip from Don C. Weber on page 14 regarding re-purposing the controller/connector from external HDD enclosures. Sure, toss (destroy/hammer) the bad 2.5” HDD, but keep the USB mini-port to SATA hardware adapter in your kit. It’s a dead-simple way to access SATA drives and is a “green-recycling” solution to boot.

USB Boot Without BIOS Support – Kent Hall’s “What the….?” blog – Although most all “modern” BIOS systems support booting from external USB devices (properly configured of course), some hardware you encounter might not. Chris’s trick involves using PLoP Boot Manager and RawWrite (if making a floppy) to create a bootable floppy/CD pre-booter if you will, that then leverages up the USB device to do the actual post-pre-booting from. Not an everyday need but so simple it wouldn’t hurt to have such a boot-CD pre-crafted, just in case. PLoP Boot Manager supports a number of features and is worth looking at even if this scenario doesn’t fit your need.

Free Firewalls for Windows

Currently, the Windows 7 firewalls and my own home router are providing me sufficient firewall protection for my comfort zone. Maybe in a while I will revisit my Windows Firewall post roundup and see which ones still remain and if any new-comers of late are present.

RasterVect Softwarescan. – (freeware) – Great tool to convert raster images into vector formats. See also Vector Magic which can “vectorize” bitmap images online for free or the $ desktop version. I really love and depend on Vector Magic.

Bing’s Best-3, Windows 7 Themepack Released – The Windows Club. I love to download these themepacks and extract the wallpapers from them. I’ve got a massive wallpaper folder I run now with these best-of images. Beautiful stuff.

DiskDigger – Newly updated file-recover program that (unfortunately) isn’t free any longer (see tool blog page The move to shareware for the breakdown). It still will work, but just not as conveniently. The Portable Freeware Collection - Disk Digger page does contain a link to the last really “free” version 0.8.3, so while you don’t get the added features and spanking GUI from the new v1.0, you still can get much of the same functionality.

For Chrome/ium goodness, I’m relying on the amazing Portable Google Chrome 4.1.249.1059 as packaged by Stadt-Bremhaven. The thing that has won me over with this particular portable-ization is the inclusion of the additional Neue Version des Portable Chrome Updaters which is an exe that when run offers to download/unpack/update your portable Chrome; in your favorite flavor as long as it is “Dev Channel”, “Beta Channel”, “Release Channel” or my personal taste pick “Chromium”. Quench that thirst!

How to Improve Extension Startup Performance – Mozilla Add-ons Blog is an interesting read on maybe the roadmap to come and the love/hate relationship with Firefox extensions; something great for customization and making a really practical browser, but potentially performance impacting with weigh-down.

Internet Explorer 9 and Safari 5 – The Windows Blog team. Of course IE guys would have a bone or two to pick with Safari 5 in a side-by-side comparison, wouldn’t they? I’m sure it is 100% objective.

Saturday, June 19, 2010

I’ve been very busy, hard at work for the taxpayers of Texas who pay my salary, making sure they get the most bang-for-the-buck with their own hard-earned dollars. Thank you kindly.

I’m also grounded on my primary system…the silly Gateway laptop. Seems the DC plug fix about a year ago failed again in the past couple of months so now I’ve had to rig the laptop up on my desk…static-style…to keep it running. Kinda defeats the purpose of a laptop. However I’m not willing to invest another $250 in a 2nd solder repair. So I’m negotiating with Lavie and doing some shopping/dream-system config-ing on the Dell site. I’m bouncing back-n-forth between an Alienware system or a Studio 17 build. I think the Alienware case is a bit cheesy for my tastes. I’m open to other suggestions as well. Looking around at $1,300 price point or so which still seems like a LOT of money to this penny-pincher. Leaning to the Dell line as I’ve supported these at work for 10 years or so and they are very reliable and sturdy systems. Loving my new Latitude E6400 system at work (though it is still running XP Pro).

Dream features:

Quad-core Intel i5 processor (or higher to 8 processor threads with an Intel i7 chip perhaps?), 6GB RAM, 500 GB SATA drive, 512-1GB video system. Blu-ray support and a true 1080 HD supported screen. I really would hope to find a modular DC-plug solution such that if the jack fails, it’s not hard-mounted on the system-board. This is a lot of fire-power but I do lots of virtualization and hope to crank up some higher-end digital video/photo processing work as well. Besides…it may be the first chance I’ve had to actually design and select my very own laptop system, so as an investment, it makes sense to get something I really would be proud to use.

As noted, our shop is beginning a round of system refreshes for our end users. In the end we are looking at close to 1000+ systems. Our sub 20-person team would be greatly challenged to deliver this so a vendor was contracted to assist.

The factory images are “fresh” but not out of the oven fresh. So the vendor setup/migration times are running 2-4 hours per system. I know. Right? So one of the things we do to minimize migration time for our own techs is to deploy the fresh-baked images I prepare for our systems. These are fully updated with all MS and third-party software patches, as well as contain our own system tweaks that are done post-install. As such we can deploy a system in less than 1 hour.

Typically we deploy the images using bootable USB HDD’s and manually feeding the disk-prep and image application commands.

I’ve always toyed with the idea of scripting the process but with close to ten different images, and different HDD system configurations it is a bit challenging. So we’ve kept with the manual model for now.

One drawback is that if the techs aren’t paying attention to drive lettering in DiskPart, more than one has wiped the portable HDD they are serving the images from. Oops!

Imaging for the Vendor

However, we wanted to retain some control over the images provided to our vendor, and giving them the system images (2 system configurations at this point) on a HDD wasn’t a popular idea. Luckily each image would fit on a DVD and handing out/collecting DVD’s is much easier than USB HDD…and much more durable.

So I did some research and came up with a slick scripted mix of command-line batch goodness, ImageX/Diskpart fun, and WinPE to boot; literally!

He uses a series of batch files and a text file to automate the process.

I did have some issues with the version/commands offered in his 2007 version and the choices.exe file used at that time and the newer ones. For lots of sources on additional “choices.exe” background check out this About choice.com and choice.exe page.

However, I eventually got it armed and working.

Construction

I did a stock WinPE 3.0 build in a winpe_x86 folder and added three additional folders under the “ISO” folder; “images”, “scripts”, and “tools”.

In the “images” folder I placed the WIM file for the particular system the DVD was designed for use in image deployment.

In the “scripts” folder I placed the “choice.exe” file I got working, a “deployimage_localimage.bat” file, a “deployimage_networkimage” file, a “diskpartcmds.txt” file and finally a “menu.bat” file.

The choice.exe file I used reports as 19.5 KB and dated 12/9/1994. I have some more work to do on this but this one works for now.

Although pulling the WIM image file from the network or a USB drive could be supported, I’ve tweaked it a bit to just support the DVD-based local image disk prepping and imaging.

In the “tools” folder, just my “imagex.exe” file is present.

The menu.bat file consists of the following, slightly tweaked from Neil’s OEM script. It is this batch file that is called once the PE reaches the CMD prompt.

Note: the blog template is doing some text-wrapping here so double check against Neil’s original and also copy/paste any actual batch scripts below into Notepad or your fav. text editor to ensure you get the full line formats. Line-breaks in incorrect places can cause the processes to fail.

You can pop over to the original link I provided to find the network imaging deployment batch file if you want.
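Since the batch listings themselves did not survive on this page, here is an added example of a local-media deployment script written for this post; it is not Neil’s OEM script and not the file from the “scripts” folder above. It assumes the folder layout described under Construction (images, scripts, tools on the same boot media), a Windows 7 image in a WinPE 3.0 session, set /p in place of choice.exe, and bcdboot to write the boot files. Before it lets diskpart “clean” anything, it adds the check the drive-lettering mishap above calls for: the chosen disk must not carry the volume the script is running from.

```batch
@echo off
REM deployimage_localimage.bat - added example written for this post; it is not
REM Neil's OEM script nor the GSD author's file. Assumed layout on the boot media
REM (DVD or flash drive), relative to this script's own drive letter:
REM   \scripts\deployimage_localimage.bat   \images\image.wim   \tools\imagex.exe
REM Before any "clean", it refuses a disk that carries the volume it runs from,
REM which is the DiskPart drive-lettering mistake described in the post.
setlocal

set "SRC=%~d0"
set "SRCLTR=%SRC:~0,1%"
set "WIM=%SRC%\images\image.wim"
set "IMAGEX=%SRC%\tools\imagex.exe"
set "INDEX=1"
set "DP=%TEMP%\dpcmds.txt"
set "DETAIL=%TEMP%\detail.txt"

if not exist "%WIM%" (echo Image not found: %WIM% & goto :fail)
if not exist "%IMAGEX%" (echo imagex.exe not found: %IMAGEX% & goto :fail)
if /i "%SRCLTR%"=="C" (echo Source media is C:, the letter reserved for the target & goto :fail)

echo Disks visible to this WinPE session:
> "%DP%" echo list disk
diskpart /s "%DP%"

set /p DISK=Enter the number of the disk to WIPE and image: 
echo %DISK%| findstr /r "^[0-9][0-9]*$" >nul || (echo Not a disk number & goto :fail)

REM Show the volumes on that disk and refuse if the source drive letter is among them.
> "%DP%" echo select disk %DISK%
>>"%DP%" echo detail disk
diskpart /s "%DP%" > "%DETAIL%" || (echo diskpart could not select disk %DISK% & goto :fail)
type "%DETAIL%"
findstr /r /c:"Volume *[0-9]* *%SRCLTR% " "%DETAIL%" >nul
if not errorlevel 1 (
    echo ABORT: disk %DISK% holds drive %SRC%, the media you are deploying from.
    goto :fail
)

set /p CONFIRM=Type WIPE to erase disk %DISK% and apply image %INDEX% of %WIM%: 
if /i not "%CONFIRM%"=="WIPE" goto :fail

REM Partition and format the target, then assign it C: for imagex.
> "%DP%" echo select disk %DISK%
>>"%DP%" echo clean
>>"%DP%" echo create partition primary
>>"%DP%" echo select partition 1
>>"%DP%" echo format fs=ntfs quick
>>"%DP%" echo active
>>"%DP%" echo assign letter=C
>>"%DP%" echo exit
diskpart /s "%DP%" || (echo diskpart failed preparing disk %DISK% & goto :fail)

REM Apply the image; %INDEX% picks the image inside a stacked (multi-image) WIM.
"%IMAGEX%" /apply "%WIM%" %INDEX% C:\ || (echo imagex failed & goto :fail)
REM Assumption: the WIM does not carry boot files, so bcdboot (present in WinPE 3.0) writes them.
bcdboot C:\Windows /s C: || (echo bcdboot failed & goto :fail)

echo Deployment complete. Remove the media and reboot.
endlocal
exit /b 0

:fail
echo Deployment aborted.
endlocal
exit /b 1
```

Changing INDEX (or prompting for it) is all the single-WIM, multiple-system idea under Final Thoughts needs; the source-disk check matters most on the rewritable flash-drive variant, since a DVD cannot be cleaned by accident.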

Final Thoughts

Using an optical-based DVD source for the image does take a bit longer to access/copy the data rather than a portable HDD or flash-media based source. So keep that in mind. If you had a few 4-6 GB flash drives you could easily make them bootable and apply this solution to them instead. DVDs are relatively cheap and easy to make duplicates of. And if one is damaged no biggie. Plus you don’t have to worry about files getting overwritten!

I’m sure there are more sophisticated and elegant solutions.

Because you can “stack” images inside an imagex wim file, with some more work you could easily create a single wim file that could support multiple systems. Then with some clever updates to the batch file and image-picker lines, you could call whichever image package you wanted from a single wim file. Depending on how big your base image was and the add-on levels, it might not fit on even a DVD, but still, it would probably work out for an 8-16 GB flash drive; and be crazy-easy on a bootable USB HDD drive.
